WinXPhome CWS.Look2Me, BookedSpace, BrowserAid [RESOLVED]



#16 KGHN (Member, Topic Starter, 66 posts)
Hi Tampabelle, happy 4th,

BTW, how do you see a list in Killbox to double check you've put them all in right?
I think I managed, though.

FYI On restart it complained about hklrun.exe and neyrcor.dll.

Here's my QooLogic log:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\NEYRCOR.DLL
* aspack C:\WINDOWS\System32\WQGPY.DAT
* aspack C:\WINDOWS\System32\NEYRCOR.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\RDUN.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
QuickBooks Update Agent.lnk
rdun.exe

User Startup:
C:\Documents and Settings\Tina\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgsfktfg
<NO NAME> REG_SZ {419e87e8-6c0f-4961-a405-3b2f2e4b6592}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Sorry I caused you alarm with my explorations. I will try to be good and just follow directions henceforth.

Kate
#17 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

It caused me alarm because you were deleting / trying to delete genuine and critical Windows files. Killbox doesn't allow you to verify the list of files. We will have to do this again -
  • Please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\IRGUV.DLL
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\NEYRCOR.DLL
    • C:\WINDOWS\System32\SUPDATE.DLL
    • C:\WINDOWS\System32\WQGPY.DAT
    • C:\docume~1\alluse~1\startm~1\programs\startup\RDUN.EXE
    • C:\WINDOWS\System32\DCXBQRB.EXE
    • C:\WINDOWS\System32\HKLRUN.EXE
    • C:\WINDOWS\System32\REDIT.CPL
    • C:\WINDOWS\System32\PSOF1.EXE
    • C:\WINDOWS\CASINO~1.EXE
    • C:\WINDOWS\DLOAD.EXE
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\LOADASP.EXE
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.


#18 KGHN (Member, Topic Starter, 66 posts)
Hi Tampabelle,
I took your last post in a Notepad file on a floppy to the XP, and used cut-and-paste instead of typing into Killbox. Here's our new QooLogic run:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
QuickBooks Update Agent.lnk
RDUN.EXE

User Startup:
C:\Documents and Settings\Tina\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mgsfktfg
<NO NAME> REG_SZ {419e87e8-6c0f-4961-a405-3b2f2e4b6592}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Thanks, Kate

#19 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mgsfktfg]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Reboot the PC and post a fresh HJT log as well as a Find_Qoologic log here.

#20 KGHN (Member, Topic Starter, 66 posts)
Hello again,
Here's our new HJT result:
Logfile of HijackThis v1.99.1
Scan saved at 3:36:51 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RDUN.EXE
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.sxload.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Here's QooLogic:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
BigFix.lnk
desktop.ini
QuickBooks Update Agent.lnk
RDUN.EXE

User Startup:
C:\Documents and Settings\Tina\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
<NO NAME> REG_SZ {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
<NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
<NO NAME> REG_SZ {E8ADA3E1-CE9B-44A0-A165-997304EF4E18}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

Thanks, and I look forward to your next post.
KGHN

#21 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

Please disconnect the PC from the internet. If you have DSL / Cable connectivity, then remove the cord between the modem and the PC.

Please exit from SpyBot S&D. This will interfere with the fix and is therefore being disabled temporarily.

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - Global Startup: RDUN.EXE
O15 - Trusted Zone: *.sxload.com


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Reboot the PC in Safe Mode.

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

WhenUSearch / WhenUSearch Desktop Toolbar / Desktop Toolbar [WhenUSearch]

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\sf
C:\Program Files\Cas

C:\WINDOWS\sfita.exe
C:\WINDOWS\System32\hklrun.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
mshplwiz.exe
RDUN.EXE


Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch and delete all the files in that folder. Don't delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.

Run SpyBot S&D.

Run Hijack This and post a fresh HJT log

#22 KGHN (Member, Topic Starter, 66 posts)
Hi Tampabelle,

XP machine is already disconnected from the internet.
I removed SpyBot S&D a while back, so it isn't running.

Scanned with Hijack This, checked items:
ok R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
ok R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
ok R3 - Default URLSearchHook is missing
ok O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
ok O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
ok O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
ok O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
ok O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
ok O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
ok O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
ok O4 - Global Startup: RDUN.EXE
ok O15 - Trusted Zone: *.sxload.com

???why is it showing TeaTimer? The \Program Files\Spybot - Search & Destroy folder just has a subfolder in it, no files.???

Closed windows other than Hijack This. Clicked on Fix checked.

Tried to reboot the PC in Safe Mode. On the first try, I had left a floppy in A: (not bootable), and I had to press a key. So even though I had pressed F8 several times, it booted to the regular login. I restarted to Safe and logged in Administrator.

Went to Control Panel / Add or Remove Programs

Not found:
WhenUSearch / WhenUSearch Desktop Toolbar / Desktop Toolbar [WhenUSearch]

FYI List of possibly suspicious stuff on the Add/Remove list (I didn't touch them, just letting you know):
Casino Tropez 62.59MB
Content Delivery Module 1.62MB
Display Utility (no size)
Google Toolbar for Internet Explorer (0.28MB)
Internet Update (no size)
PartyPoker 9.31MB
Personal Money Tree 0.41MB
Quick Links 0.02MB
Search Fast Communicator 1.0

OK, to continue...

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\sf - not seen by explore
C:\Program Files\Cas - not seen by explore, there is a "CasStub" I didn't disturb it.

C:\WINDOWS\sfita.exe - not seen by explore
C:\WINDOWS\System32\hklrun.exe - present but not deletable - "in use"
C:\WINDOWS\System32\SMSSU.EXE - not seen by explore, there is a "SMSS.EXE" I didn't disturb it.
C:\WINDOWS\System32\Tmntsrv32.EXE - not seen by explore

mshplwiz.exe - not in C:\WINDOWS\System32
RDUN.EXE - not in C:\WINDOWS\System32, per CMD DIR there are copies in \HJT (that I put there) and \BU050627\Documents and Settings\All Users\Start Menu\Programs\Startup - I didn't disturb them.
Where did you want me to look for them?

Clear out the files in the Prefetch folder. Done, 55 items.

Rebooted Normal / login Tina.
Installed SpyBot S&D & loaded definition files. (Did not install realtime protection.)
Scan showed:
CoolWWWSearch/IE start page
Delfin Project/Settings
DyFuCA/Settings
Pacimedia/Settings

I asked it to fix all, it said 4 problems fixed. Restarted normally/Tina

Ran Hijack This, here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 5:34:44 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

KGHN
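As an added example (not a tool from this thread or from Geeks to Go), the Python script below automates the triage tampabelle did by hand on the post #20 log: it parses the R/O lines, flags O4 autoruns that start from outside a baseline of known directories (the TRUSTED_DIRS tuple is an assumption for this particular box), O15 Trusted Zone additions and blanked or hijacked R0/R1/R3 settings, and diffs that log against the clean one in post #22 to confirm every flagged entry is gone. The embedded log excerpts are trimmed from the two logs posted above.

```python
"""Triage helper for HijackThis-style logs.  Added example, not a tool from
this thread: it parses the R/O entries, flags the kinds of entry the helper
singled out (O4 autoruns outside a baseline, O15 Trusted Zone additions,
blanked or hijacked R0/R1/R3 settings) and diffs a before/after log."""
import re
from typing import List, Tuple

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # "O4 - HKLM\..\Run: [x] y"
Entry = Tuple[str, str]                          # (code, rest of the line)

# Directories an O4 autorun may legitimately start from on this box.  The
# list is an assumption for the example; build yours from a known-clean log.
TRUSTED_DIRS = (
    r"c:\progra~1\grisoft", r"c:\program files\zone labs",
    r"c:\program files\messenger", r"c:\program files\aim",
    r"c:\program files\bigfix", r"c:\program files\common files\intuit",
    r"c:\program files\spybot - search & destroy",
)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* entries; header and process list are skipped."""
    found = [ENTRY_RE.match(l.strip()) for l in text.splitlines()]
    return [(m.group(1), m.group(2)) for m in found if m]


def o4_target(body: str) -> str:
    """Pull the program path out of an O4 body, dropping any arguments."""
    if "Run: [" in body:                    # HKLM\..\Run: [Name] cmd args
        cmd = body.split("] ", 1)[1] if "] " in body else ""
    elif "=" in body:                       # Global Startup: X.lnk = path
        cmd = body.split("=", 1)[1]
    else:                                   # Global Startup: RDUN.EXE
        cmd = body.split(":", 1)[1]
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path; args follow the quote
        return cmd[1:].split('"', 1)[0]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (code, body, reason) for every entry that needs a human look."""
    flagged = []
    for code, body in entries:
        reason = ""
        if code == "O4":
            target = o4_target(body)
            if "\\" not in target:
                reason = "autorun with no path: locate the file and verify it"
            elif not target.lower().startswith(TRUSTED_DIRS):
                reason = "autorun outside the baseline directories"
        elif code == "O15":
            reason = "site added to the IE Trusted Zone (lowers IE security)"
        elif code == "R3" and "missing" in body:
            reason = "URLSearchHook removed or hijacked"
        elif code in ("R0", "R1") and (body.endswith("=") or "about:blank" in body):
            reason = "browser setting blanked or hijacked"
        if reason:
            flagged.append((code, body, reason))
    return flagged


def diff_logs(before: List[Entry], after: List[Entry]):
    """Entries that disappeared and that appeared between two scans."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b)


# Trimmed excerpts of the logs in post #20 (before the fix) and post #22 (after).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: RDUN.EXE
O15 - Trusted Zone: *.sxload.com
"""
AFTER = r"""
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""
```

The bare `mHotkey.exe` autorun is flagged in both logs only because it carries no path; a baseline-driven triage can say "go and look", not "this is malicious", which is exactly why the helper asked for a log rather than acting on names alone.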

#23 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

Let's try this one more time. Chances are the files may have been hidden.

Please visit this page - http://www.geekstogo...02&f=37&t=40142 - to learn more about how to see hidden and system files.

Reboot the PC in Safe Mode.

Please delete the following files -

C:\Program Files\sf
C:\Program Files\Cas

C:\WINDOWS\sfita.exe
C:\WINDOWS\System32\hklrun.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
mshplwiz.exe
RDUN.EXE - (all instances of the file)
CasStub - (file that you saw)


Reboot the PC.

Let me know how the deletion of files went and also how the PC is behaving !!!!!!!!!

#24 KGHN (Member, Topic Starter, 66 posts)
Hi again Tampabelle,

I booted Safe/Administrator.

OMG, you may be right that the files may have been hidden. I thought I had this sucker set up to show everything.

http://www.geekstogo...02&f=37&t=40142 - this link didn't work for me. However, per your help earlier, I followed the bleeping computer instructions for the XP that you linked me to some time back:
Windows XP
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

I just double checked the configuration, and it has reverted to hiding things. I set it again to show them.

Please delete the following files -

C:\Program Files\sf - explore doesn't see an sf folder, or any files.
C:\Program Files\Cas - no folder cas
C:\Program Files\CasStub - folder deleted

C:\WINDOWS\sfita.exe - not seen

C:\WINDOWS\System32\hklrun.exe - explore sees this "Error Deleting File or Folder Cannot delete HKLRUN: It is being used by another person or program. Close any programs that might be using the file and try again." [OK]
C:\WINDOWS\System32\SMSSU.EXE - not seen
C:\WINDOWS\System32\Tmntsrv32.EXE - not seen

I get an error ("A file that is required to run Search Companion cannot be found. You may need to run setup.") when I click Search to look for these files:
mshplwiz.exe - CMD DIR \mshplwiz.exe /s says File Not Found
RDUN.EXE - CMD ERASEd from \HJT, ERASE \BU050627\Documents and Settings\All Users\Start Menu\Programs\Startup\rdun.exe - says "The system cannot find the file specified."

I just checked, showing hidden/system files is still set. I emptied the Recycle Bin.

Performance testing:

Restarted Safe/Admin.
Ran CleanUp.
Ran SpyBot, created a registry backup, scanned:
No immediate threats were found.
Ran F-Prot Win 3.16b scan:
c:\windows\system32\wininet.dll infected Oleadm.A(exact) - Could not delete the file.
Ran Ad-Aware SE scan:
0 new critical objects
Ran AVG scan: clean.
TDS-3 scanned c:\windows: clean

More performance testing, for known Windows problems:
Search doesn't work, same message.
Help still has same error messages.
Control Panel/System/Hardware/Device Manager still has MMC error.
Trying to load Ewido signatures still gives NSIS error.

My top question:

c:\windows\system32\wininet.dll is still being a stubborn bugger - how can we get the good version of this one copied in??? Did you like my boot-diskette to alternate system files idea? (I will tell again if you like.)

See you tomorrow,
Kate

#25 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

Let's fix the wininet.dll file.


Please boot in Safe Mode.

Rename C:\Windows\System32\wininet.dll as wininet.old.

Copy c:\windows\system32\dllcache\wininet.dll into c:\windows\system32\wininet.dll.

Upload c:\Windows\system32\wininet.dll here and scan the file.

Post the scan results here.
#26 KGHN (Member, Topic Starter, 66 posts)
Hi Tampabelle,
I am so happy, the rename seemed to work.
I booted Safe/Administrator.
In Explore, I renamed C:\Windows\System32\wininet.dll as wininet.old.

There was no c:\windows\system32\dllcache\wininet.dll, so I copied c:\windows\servicepackfiles\i386\wininet.dll into c:\windows\system32\wininet.dll. (I noted a .dl_ version somewhere, but that was all the wininet.*s.)

I copied both the .old and the .dll to floppy.
I went to http://virusscan.jotti.org
I submitted wininet.old first:
File: WININET.OLD
Status: INFECTED/MALWARE
MD5 5e7fe802cdb358b1122b231ece9b6aca
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Oleadm.Callgate
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found Oleadm.A - Dropper
Fortinet Found Nsag.A
Kaspersky Anti-Virus Found Virus.Win32.Nsag.a
NOD32 Found Win32/Oleloa.A
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Virus.Win32.Nsag.a

Scan of new/copied in c:\Windows\system32\wininet.dll found no problem.

I am going to restart, check those Windows problems, and report, and also a fresh HijackThis. Is there any other check I should run?

Yee hah,
Kate

#27 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

Can you attach the wininet.old file with your next reply ????

Go ahead and reboot your PC and let me know how it performs

#28 KGHN (Member, Topic Starter, 66 posts)
Hi again Tampabelle,

I booted Safe/Administrator.
Search doesn't work, same message.
Help still has same error messages.
Control Panel/System/Hardware/Device Manager still has MMC error.
Trying to load Ewido signatures still gives NSIS error.

I booted normal/Tina
Display Properties still has no Background tab, only Themes/Screen Saver/Appearance/Settings. How do I get rid of the nasty fake smitfraud warning wallpaper?

Here's wininet.old, attached. Oops, "Upload failed. You are not permitted to upload a file with that file extension." Renamed wininet.kkk.

Kate

#29 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Can you rename the file as wininet.txt and then upload it ???



Copy the part in bold below into notepad and save it as background.reg
Save as type:All files (The first line in the file should be REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-


Doubleclick the file and confirm you want to merge it with the registry.


Let me know of the progress

Edited by tampabelle, 06 July 2005 - 12:06 PM.

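As an added example, not a Geeks to Go tool, this Python interpreter applies REGEDIT4 scripts like the fix.reg in post #19 and the background.reg above to an in-memory registry snapshot, so the effect of a merge ([-KEY] deletes a whole key, "Name"=- deletes one value) can be previewed before double-clicking the file. The snapshot and the values named Constructed* are constructed for the example; the script text is trimmed from the post above.

```python
"""Interpreter for REGEDIT4 fix files such as fix.reg and background.reg above.
Added example, not a Geeks to Go tool: it applies a script to an in-memory
registry snapshot to preview a merge: "[-KEY]" deletes a key and its subkeys,
"[KEY]" creates/opens a key, '"Name"=-' deletes one value, other data sets it."""
import re
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, object]]          # key path -> {name: data}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_data(raw: str) -> object:
    """Decode the right-hand side of a value line (None means 'delete')."""
    if raw == "-":
        return None
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unsupported data: {raw}")


def apply_reg(text: str, reg: Registry) -> Tuple[Registry, List[str]]:
    """Apply a REGEDIT4 script to a copy of reg; return (new_reg, actions)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 script: check the first line")
    reg = {k: dict(v) for k, v in reg.items()}     # never mutate the caller's copy
    actions, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            path = key.group(2)
            if key.group(1) == "-":                # [-KEY]: delete the whole tree
                gone = [k for k in reg if k == path or k.startswith(path + "\\")]
                for k in gone:
                    del reg[k]
                actions.append(f"deleted key {path} ({len(gone)} keys)")
                current = None
            else:                                  # [KEY]: create or open
                reg.setdefault(path, {})
                current = path
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            raise ValueError(f"unrecognised line: {line}")
        name, data = val.group(1), parse_data(val.group(2))
        if data is None:
            if reg[current].pop(name, None) is not None:
                actions.append(f"removed {current}\\{name}")
        else:
            reg[current][name] = data
            actions.append(f"set {current}\\{name} = {data!r}")
    return reg, actions


def remaining_restrictions(reg: Registry) -> List[str]:
    """Policy values still set to a non-zero DWORD after the merge."""
    return sorted(f"{k}\\{n}" for k, vals in reg.items() if "\\Policies\\" in k
                  for n, d in vals.items() if d)


HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
# Constructed snapshot resembling a desktop locked down by the hijacker.
SNAPSHOT: Registry = {
    HKCU + r"\System": {"ConstructedLock": 1},   # whole key is deleted below
    HKCU + r"\ActiveDesktop": {"NoChangingWallPaper": 1, "NoHTMLWallPaper": 1},
    HKCU + r"\Explorer": {"NoActiveDesktopChanges": 1, "NoThemesTab": 1},
    HKLM + r"\Explorer": {"NoActiveDesktopChanges": 1, "ConstructedLeftover": 1},
}
# background.reg from the post above, trimmed to a few of its values.
BACKGROUND_REG = r"""
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoHTMLWallPaper"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoThemesTab"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"""
```

Running `remaining_restrictions` on the result shows which lockdown values a given script leaves behind, which is the check to make before assuming a missing Display Properties tab is fixed.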

#30 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Kate,

for the MMC error -

Try the following option -

1. Using Windows XP CD


Place your XP CD in the drive, go to a command prompt and enter this command:

expand cdrom:\i386\devmgmt.ms_ %systemroot%\system32\devmgmt.msc

Replace cdrom with the appropriate drive letter.

If it still doesn't work, replacing devmgr.dll may work although that file should be fine since the snap-in works...

expand cdrom:\i386\devmgr.dl_ %systemroot%\system32\devmgr.dll
